Chapter 8: Implementing Virtual Private Networks
CCNA Security
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
Chapter 8: Objectives
In this chapter you will:
• Describe VPNs and their benefits.
• Identify the Cisco VPN product line and the security features of these products.
• Configure a site-to-site VPN GRE tunnel.
• Describe the IPsec protocol and its basic functions.
• Compare AH and ESP protocols.
• Describe the IKE protocol and modes.
• Describe IPsec negotiation and the five steps of IPsec configuration.
• Explain how to prepare IPsec by ensuring that ACLs are compatible with IPsec.
• Configure IKE policies using CLI.
• Configure the IPsec transform sets using CLI.
• Configure the crypto ACLs using CLI.
• Configure a crypto map using CLI.
• Troubleshoot the IPsec configuration.
• Configure IPsec using CCP.
• Configure a site-to-site VPN using the Quick Setup VPN Wizard in CCP.
• Configure a site-to-site VPN using the step-by-step VPN Wizard in CCP.
• Troubleshoot VPNs using CCP.
• Explain how the corporate landscape is changing to support telecommuting.
• Compare remote-access IPsec VPNs and SSL VPNs.
• Explain how SSL is used to establish a secure VPN connection.
• Describe the Cisco Easy VPN feature.
• Configure a VPN server using CCP.
• Connect a VPN client using the Cisco VPN Client software.
Chapter 8
8.0 Introduction
8.1 VPNs
8.2 GRE VPNs
8.3 IPsec VPN Components and Operation
8.4 Implementing Site-to-Site VPNs with CLI
8.5 Implementing Site-to-Site VPNs with CCP
8.6 Implementing Remote-Access VPNs
8.6 Summary
8.1 VPNs
VPN Overview
Virtual Private Networks
 A Virtual Private Network (VPN) is a private network that is created via
tunneling over a public network, usually the Internet.
 VPNs have multiple benefits, including:
• Compatibility with broadband technology
• Cost savings
• Security
• Scalability
VPN Overview
Types of VPNs
 In the simplest sense, a VPN connects two endpoints, such as two
remote offices, over a public network to form a logical connection.
 The logical connections can be made at either Layer 2 or Layer 3 of the
OSI model.
 Common examples of Layer 3 VPNs are:
• Generic Routing Encapsulation (GRE)
• Multiprotocol Label Switching (MPLS)
• Internet Protocol Security (IPsec)
VPN Topologies
Site-to-Site VPNs
 Created when connection devices on both sides of the VPN
connection are aware of the VPN configuration in advance.
 The VPN remains static and internal hosts have no knowledge
that a VPN exists.
VPN Topologies
Remote-Access VPNs
• Allows for dynamically changing connection information and
can be enabled and disabled when needed.
• Example – A telecommuter’s PC being responsible for
establishing the VPN.
VPN Topologies
Remote-Access VPNs
 An evolution of circuit-switching networks, such as plain old
telephone service (POTS) or Integrated Services Digital Network (ISDN).
 Support a client/server architecture. A VPN client (remote host)
requires secure access to the enterprise network via a VPN
server device at the network edge.
VPN Topologies
Site-to-Site VPNs Cont.
 An extension of a classic WAN network.
 Connect remote networks to each other.
 A site-to-site VPN can connect a branch office network to a
company headquarter network.
 Replaces a leased line or Frame Relay connection, because
most corporations now have Internet access.
VPN Topologies
VPN Client Software Operations
VPN Topologies
Cisco IOS SSL VPN
 The Cisco IOS SSL VPN is a technology that provides remote-access connectivity from almost any Internet-enabled location
with a web browser and its native SSL encryption.
 SSL VPN currently delivers three modes of SSL VPN access:
• Clientless
• Thin client
• Full client
VPN Solutions
Cisco VPN Product Lines
Product Choice                                       Remote-Access VPN   Site-to-Site VPN
Cisco VPN-Enabled Routers and Switches               Secondary role      Primary role
Cisco PIX 500 Series Security Appliances (Legacy)    Secondary role      Primary role
Cisco ASA 5500 Adaptive Security Appliances          Primary role        Secondary role
Cisco VPN 3000 Series Concentrators                  Primary role        Secondary role
SOHO Routers (Cisco 850 Series ISR and Linksys)      Primary role        Secondary role
VPN Solutions
VPN Services with Cisco ASA
VPN Solutions
Cisco IPsec Client Options
Cisco remote-access VPNs can use three IPsec clients:
• Cisco VPN Client software - Installed on the PC or laptop of an individual.
• Cisco Remote Router VPN Client - A Cisco remote router (configured as a VPN client) that connects small office, home office (SOHO) LANs to the VPN.
• Cisco AnyConnect Secure Mobility Client - Next-generation VPN client that provides remote users with secure VPN connections to the Cisco ASA.
VPN Solutions
Cisco VPN Hardware Modules
To enhance performance and offload the encryption task to specialized
hardware.
• VPN Advanced Integration Module (AIM) - A broad range of Cisco routers
can be equipped with VPN AIM installed inside the ISR chassis to offload
encryption tasks from the router CPU.
• Cisco IPsec VPN Shared Port Adapter (SPA) - Delivers scalable and cost-effective VPN performance for higher-end Cisco Catalyst series switches and
routers.
• Cisco VPN Accelerator Module 2+ (VAM2+) - Provides high performance
encryption/compression and key generation services for IPsec VPN
applications on Cisco 7204VXR, 7206VXR, and 7301 routers.
VPN AIM
8.2 GRE VPNs
Configuring a Site-to-Site GRE Tunnel
GRE Tunnels
 There are two popular site-to-site tunneling protocols:
• GRE
• IPsec
 When should you use GRE or IPsec?
Decision flow (from the figure): start with the user traffic. If it is not IP only, use a GRE tunnel. If it is IP only but not unicast only, use a GRE tunnel. If it is IP only and unicast only, use an IPsec VPN.
Configuring a Site-to-Site GRE Tunnel
GRE Tunnels Cont.
GRE can encapsulate almost any other type of packet.
• Uses IP to create a virtual point-to-point link between Cisco routers
• Supports multiprotocol (IP, CLNS, …) and IP multicast tunneling (and, therefore, routing protocols)
• Best suited for site-to-site multiprotocol VPNs
• RFC 1702 and RFC 2784
Configuring a Site-to-Site GRE Tunnel
GRE Header
 GRE encapsulates the entire original IP packet with a standard IP
header and GRE header.
 GRE tunnel header contains at least two 2-byte mandatory fields:
• GRE flag
• Protocol type
Configuring a Site-to-Site GRE Tunnel
GRE Header Cont.
 GRE does not provide encryption, but it can be monitored with a
protocol analyzer.
 While GRE and IPsec can be used together, IPsec does not
support multicast/broadcast and, therefore, does not forward
routing protocol packets. However, IPsec can encapsulate a GRE
packet that encapsulates routing traffic (GRE over IPsec).
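The encapsulation described on the last two slides, as an added Python example (not code from the chapter or from Cisco): a standard outer IPv4 header carrying protocol 47, then the GRE header whose two mandatory 2-byte fields are the flags/version word and the protocol type, then the untouched original packet. The example goes a little beyond the slide by also handling the optional checksum, key and sequence fields that the flag bits announce (RFC 2784 and RFC 2890). All addresses and the inner packet are constructed values. Because GRE adds no encryption, the decapsulated inner packet is byte-for-byte what was sent, which is why a protocol analyzer on the path can read it.

```python
import struct
from typing import Optional

GRE_PROTO = 47            # IP protocol number for GRE in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an inner IPv4 packet
# Flag bits in the first GRE word; each one adds an optional 4-byte field (RFC 2784/2890).
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (0 when verifying a good one)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                                64, proto, 0, ip_bytes(src), ip_bytes(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Wrap the whole inner packet: outer IP header (tunnel endpoints) + GRE header + inner."""
    flags, optional = 0, b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        optional += struct.pack("!I", seq)
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4) + optional
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> dict:
    """Strip the outer IP and GRE headers; return tunnel endpoints, GRE fields and inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:                       # version bits must be 0 for plain GRE
        raise ValueError("unsupported GRE version %d" % (flags & 7))
    fields = {"outer_src": ".".join(map(str, packet[12:16])),
              "outer_dst": ".".join(map(str, packet[16:20])), "protocol_type": ptype}
    offset = ihl + 4
    if flags & GRE_FLAG_CHECKSUM:            # checksum (2 bytes) + reserved1 (2 bytes)
        fields["checksum"] = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4
    for flag, name in ((GRE_FLAG_KEY, "key"), (GRE_FLAG_SEQ, "seq")):
        if flags & flag:
            fields[name] = struct.unpack("!I", packet[offset:offset + 4])[0]
            offset += 4
    fields["inner"] = packet[offset:]
    return fields


# Constructed sample: a small inner packet from 10.0.1.5 to 10.0.2.7 carried between
# tunnel endpoints 192.168.1.1 and 192.168.2.1 (all made-up addresses).
INNER = ipv4_header("10.0.1.5", "10.0.2.7", 1, 4) + b"ping"


def demo() -> dict:
    tunneled = gre_encapsulate(INNER, "192.168.1.1", "192.168.2.1", key=1234, seq=1)
    return gre_decapsulate(tunneled)


if __name__ == "__main__":
    result = demo()
    print("key", result["key"], "seq", result["seq"], "inner readable:", result["inner"] == INNER)
```

The tunnel source and destination you configure with tunnel source and tunnel destination become the outer header's addresses; the inner addresses (10.0.1.5, 10.0.2.7) are never touched, so any transit device that can see the packet can see them too.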
Configuring a Site-to-Site GRE Tunnel
Configuring GRE
1. Create a tunnel interface: interface tunnel 0
2. Assign the tunnel an IP address.
3. Identify the source tunnel interface: tunnel source
4. Identify the tunnel destination: tunnel destination
5. (Optional) Identify the protocol to encapsulate in the GRE
tunnel: tunnel mode gre ip
By default, GRE is tunneled in an IP packet.
Configuring a Site-to-Site GRE Tunnel
GRE with IPsec
 The advantage of GRE is that it can be used to tunnel non-IP
traffic over an IP network.
 Unlike IPsec, which only supports unicast traffic, GRE supports
multicast and broadcast traffic over the tunnel link. Therefore,
routing protocols are supported in GRE.
 GRE does not provide encryption; if needed, IPsec should be
configured.
8.3 IPsec VPN Components and Operation
Introducing IPsec
IPsec As an IETF Standard
 A “framework” of open standards developed by the IETF to
create a secure tunnel at the network (IP) layer.
• The IETF spells out rules for secure communications.
• RFC 2401 - RFC 2412
 IPsec works at the network layer, protecting and authenticating IP
packets between participating IPsec devices, or peers.
 IPsec is not bound to any specific encryption or authentication
algorithms, keying technology, or security algorithms.
 IPsec allows newer and better algorithms to be implemented
without patching the existing IPsec standards.
Introducing IPsec
IPsec As an IETF Standard Cont.
 The IPsec framework consists of five building blocks.
 The administrator selects the algorithms used to implement the security services within that framework.
Introducing IPsec
IPsec as an IETF Standard
Using the IPsec framework, IPsec provides these essential security functions.
Introducing IPsec
Confidentiality
Confidentiality is achieved through encryption.
Introducing IPsec
Confidentiality Cont.
Encryption algorithms and key lengths that VPNs use:
• DES
• 3DES
• AES
• Software-Optimized Encryption Algorithm (SEAL)
Introducing IPsec
Integrity
 A method of proving data integrity is required to
guarantee that the content has not been altered.
 A data integrity algorithm can provide this guarantee.
 Hashed Message Authentication Code (HMAC) is a data
integrity algorithm that guarantees the integrity of the
message using a hash value.
Introducing IPsec
Integrity Cont.
Two common HMAC algorithms:
• HMAC-Message Digest 5 (HMAC-MD5)
• HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1)
Introducing IPsec
Authentication
 The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure.
 There are two primary methods of configuring peer authentication:
• Pre-shared Keys (PSKs)
• RSA signatures
Introducing IPsec
Secure Key Exchange
 Encryption algorithms, such as DES, 3DES, AES, and the MD5 and SHA-1 hashing algorithms require a symmetric, shared secret key to perform encryption and decryption.
 How do the encrypting and decrypting devices get the shared secret key?
 The Diffie-Hellman (DH) key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know.
IPsec Security Protocols
IPsec Framework Protocols
IPsec uses two main protocols to create a security framework:
• AH: Authentication Header
• ESP: Encapsulating Security Payload
IPsec Security Protocols
Authentication Header
AH provides authentication and optional replay-detection
services.
• It authenticates the sender of the data.
• AH operates on protocol number 51.
• AH supports the HMAC-MD5 and HMAC-SHA-1 algorithms.
IPsec Security Protocols
Authentication Header Cont.
 AH does not provide confidentiality (encryption).
• It is appropriate to use when confidentiality is not required or
permitted.
• All text is transported unencrypted.
 It only ensures the origin of the data and verifies that the data has not
been modified during transit.
 If the AH protocol is used alone, it provides weak protection.
 AH can have problems if the environment uses NAT.
IPsec Security Protocols
Authentication Header Cont.
The AH process occurs in this order:
1. The IP header and data payload are hashed using the shared secret key.
2. The hash builds a new AH header, which is inserted into the original packet.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload using the shared secret
key, extracts the transmitted hash from the AH header, and compares the two
hashes.
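The four AH steps above, as an added Python example (not code from the chapter or from Cisco): the sender computes HMAC-SHA-1 with the shared key over the IP header and payload, truncates it to 96 bits as RFC 2404 does, and inserts it in an AH header (protocol 51) between the IP header and the payload; the receiving peer recomputes the hash and compares. The key, addresses and datagram are constructed values. Two checks go beyond the slide: a TTL decrement by a transit router does not break verification, because AH zeroes the mutable header fields before hashing, whereas a NAT rewrite of the source address does break it, which is the NAT problem noted two slides earlier.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51          # AH is IP protocol number 51
ICV_LEN = 12           # HMAC-SHA-1-96: the HMAC is truncated to 96 bits (RFC 2404)
AH_LEN = 12 + ICV_LEN  # next header, payload length, reserved, SPI, sequence, then the ICV


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _set_checksum(hdr: bytearray) -> None:
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                                64, proto, 0, to_bytes(src), to_bytes(dst)))
    _set_checksum(hdr)
    return bytes(hdr)


def immutable_view(ip_header: bytes) -> bytes:
    """AH hashes the header with the fields that legitimately change in transit zeroed:
    TOS, flags/fragment offset, TTL and header checksum (RFC 2402). Addresses are covered."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def _icv(key: bytes, ip_header: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    data = immutable_view(ip_header) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, ip_header: bytes, payload: bytes, spi: int, seq: int) -> bytes:
    """Steps 1 and 2: hash header+payload with the shared key, build the AH header around
    the hash and insert it into the packet (protocol becomes 51, total length grows)."""
    ah_fixed = struct.pack("!BBHII", ip_header[9], AH_LEN // 4 - 2, 0, spi, seq)
    new_hdr = bytearray(ip_header)
    new_hdr[9] = AH_PROTO
    struct.pack_into("!H", new_hdr, 2, len(ip_header) + AH_LEN + len(payload))
    _set_checksum(new_hdr)
    new_hdr = bytes(new_hdr)
    return new_hdr + ah_fixed + _icv(key, new_hdr, ah_fixed, payload) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Step 4 on the peer: recompute the hash and compare it with the transmitted one."""
    ihl = (packet[0] & 0x0F) * 4
    ip_header = packet[:ihl]
    if ip_header[9] != AH_PROTO:
        return False
    ah_fixed = packet[ihl:ihl + 12]
    received = packet[ihl + 12:ihl + AH_LEN]
    return hmac.compare_digest(_icv(key, ip_header, ah_fixed, packet[ihl + AH_LEN:]), received)


def decrement_ttl(packet: bytes) -> bytes:
    """What every router hop does: TTL minus one and a fresh header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[8] -= 1
    _set_checksum(hdr)
    return bytes(hdr) + packet[ihl:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT device does: rewrites the source address, a field AH covers."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[12:16] = bytes(int(o) for o in new_src.split("."))
    _set_checksum(hdr)
    return bytes(hdr) + packet[ihl:]


# Constructed sample: a UDP datagram from 10.0.1.2 to 10.0.2.2 and a constructed shared key.
SHARED_KEY = b"constructed-demo-key"
PAYLOAD = b"\x04\xd2\x00\x35\x00\x0d\x00\x00hello"   # toy UDP header + data
ORIGINAL_HEADER = ipv4_header("10.0.1.2", "10.0.2.2", 17, len(PAYLOAD))

if __name__ == "__main__":
    pkt = ah_protect(SHARED_KEY, ORIGINAL_HEADER, PAYLOAD, spi=0x1000, seq=1)
    print("after a hop:", ah_verify(SHARED_KEY, decrement_ttl(pkt)))
    print("after NAT:  ", ah_verify(SHARED_KEY, nat_rewrite_source(pkt, "203.0.113.5")))
```

Note that the payload travels in the clear: AH only lets the peer detect that the header or data changed, which is the "weak protection when used alone" point on the previous slide.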
IPsec Security Protocols
ESP
ESP provides the same security services as AH (authentication
and integrity) and encryption service.
• It encapsulates the data to be protected.
• It operates on protocol number 50.
IPsec Security Protocols
ESP Cont.
ESP can also provide integrity and authentication.
• First, the payload is encrypted using DES (default), 3DES, AES, or SEAL.
• Next, the encrypted payload is hashed to provide authentication and data integrity using HMAC-MD5 or HMAC-SHA-1.
IPsec Security Protocols
Transport and Tunnel Modes
ESP and AH can be applied to IP packets in two different modes.
IPsec Security Protocols
Transport and Tunnel Modes Cont.
 In transport mode, security is provided only for the Transport Layer and above. It
protects the payload but leaves the original IP address in
plaintext.
 ESP transport mode is used between hosts.
 Transport mode works well with GRE, because GRE hides the
addresses of the end devices by adding its own IP.
IPsec Security Protocols
Transport and Tunnel Modes Cont.
 Tunnel mode provides security for the complete original IP
packet. The original IP packet is encrypted and then it is
encapsulated in another IP packet (IP-in-IP encryption).
 ESP tunnel mode is used in remote access and site-to-site
implementations.
Internet Key Exchange
Security Associations
 The IPsec VPN solution
• Negotiates key exchange parameters (IKE).
• Establishes a shared key (DH).
• Authenticates the peer.
• Negotiates the encryption parameters.
 The negotiated parameters between two devices are known as a security association (SA).
Internet Key Exchange
Security Associations
 An SA is a basic building block of IPsec. Security associations are
maintained within a SA database (SADB), which is established by
each device.
 A VPN has SA entries defining the IPsec encryption parameters
as well as SA entries defining the key exchange parameters.
 SAs represent a policy contract between two peers or hosts, and
describe how the peers use IPsec security services to protect
network traffic.
 SAs contain all the security parameters needed to securely
transport packets between the peers or hosts, and practically
define the security policy used in IPsec.
Internet Key Exchange
Security Associations Cont.
 IKE helps IPsec securely exchange cryptographic keys between
distant devices. IKE is a combination of ISAKMP and the Oakley Key
Exchange Protocol.
 Key Management can be preconfigured with IKE (ISAKMP) or
with a manual key configuration. IKE and ISAKMP are often used
interchangeably.
 The IKE tunnel protects the SA negotiations.
Internet Key Exchange
IKE Phase 1 and Phase 2
 There are two phases in every IKE negotiation
• Phase 1 (Authentication)
• Phase 2 (Key Exchange)
 IKE negotiation can also occur in:
• Main mode
• Aggressive mode
 The difference between the two is that Main mode requires the
exchange of six messages while Aggressive mode requires only
three exchanges.
Internet Key Exchange
IKE Phase 1 and Phase 2 Cont.
 IKE Phase One:
• Negotiates an IKE protection suite.
• Exchanges keying material to protect the IKE session (DH).
• Authenticates each other.
• Establishes the IKE SA.
• Main mode requires the exchange of six messages while Aggressive mode only uses three messages.
 IKE Phase Two:
• Negotiates IPsec security parameters, known as IPsec transform sets.
• Establishes IPsec SAs.
• Periodically renegotiates IPsec SAs to ensure security.
• Optionally performs an additional DH exchange.
Internet Key Exchange
Three Key Exchanges
 Three exchanges transpire during IKE Phase 1.
 The first exchange between the initiator and the responder establishes the basic security policy.
 Peers negotiate and agree on the algorithms and hashes that are
used to secure the IKE communications.
 Rather than negotiate each protocol individually, the protocols are
grouped into sets, called IKE policy sets.
 The IKE policy sets are exchanged first.
Negotiate IKE Policy
Internet Key Exchange
Three Key Exchanges Cont.
The second exchange creates and exchanges the DH public keys
between the two endpoints.
Negotiate IKE Policy
Internet Key Exchange
Three Key Exchanges Cont.
Using the DH algorithm, each peer generates a shared secret without
actually exchanging secrets.
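The DH agreement from this slide and from the Secure Key Exchange slide earlier, as an added Python example (not code from the chapter or from Cisco). It uses IKE group 1, the 768-bit MODP prime and generator 2 from RFC 2409, which the show crypto isakmp policy output later in the chapter reports as "#1 (768 bit)"; group 1 is chosen only because it is the chapter's default, since 768-bit DH is far too small for current use. Each peer keeps its private exponent, sends only g^x mod p, and derives the same secret; the block also checks the group parameters (a safe prime) and rejects degenerate peer values, two checks an IKE implementation performs that the slide does not mention.

```python
import secrets

# IKE Diffie-Hellman group 1: the 768-bit MODP prime and generator from RFC 2409, section 6.1.
GROUP1_PRIME = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP1_GENERATOR = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used to sanity-check the group parameters before trusting them."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane(p: int, g: int) -> bool:
    """A MODP group should use a safe prime ((p-1)/2 also prime) and a generator inside (1, p-1)."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2) and 1 < g < p - 1


def generate_keypair(p: int, g: int):
    """Private exponent x (never leaves the device) and public value g^x mod p (sent to the peer)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def peer_public_is_valid(p: int, y: int) -> bool:
    """Reject 0, 1 and p-1: a peer value in the trivial subgroup would force a predictable secret."""
    return 1 < y < p - 1


def shared_secret(p: int, private: int, peer_public: int) -> int:
    if not peer_public_is_valid(p, peer_public):
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def dh_exchange(p: int = GROUP1_PRIME, g: int = GROUP1_GENERATOR) -> dict:
    """Simulate both peers of the second IKE Phase 1 exchange. 'on_the_wire' is everything an
    observer of the exchange sees; the secret itself is never transmitted."""
    x_init, y_init = generate_keypair(p, g)
    x_resp, y_resp = generate_keypair(p, g)
    return {"initiator_secret": shared_secret(p, x_init, y_resp),
            "responder_secret": shared_secret(p, x_resp, y_init),
            "on_the_wire": (y_init, y_resp)}


if __name__ == "__main__":
    result = dh_exchange()
    print("group sane:", group_is_sane(GROUP1_PRIME, GROUP1_GENERATOR))
    print("secrets agree:", result["initiator_secret"] == result["responder_secret"])
```

In IKE the resulting secret is not used directly; it is fed, together with the exchanged nonces, into the key derivation that produces the keys protecting the rest of the IKE session.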
Internet Key Exchange
Three Key Exchanges Cont.
 In the third exchange, each end device must authenticate the other
end device before the communication path is considered secure.
 The initiator and recipient authenticate each other using one of the
three data-origin authentication methods:
• PSK
• RSA signature
• RSA encrypted nonce
IPsec Authentication
Internet Key Exchange
Aggressive Mode
 Aggressive mode is another option for IKE Phase 1.
 Aggressive mode is faster than Main mode due to fewer exchanges.
Aggressive Mode Phase 1
Aggressive Mode Phase 2
Internet Key Exchange
IKE Phase 2
 The purpose of IKE Phase 2 is to negotiate the IPsec security
parameters that will be used to secure the IPsec tunnel.
 IKE Phase 2 is called quick mode.
 IKE Phase 2 can only occur after IKE has established the secure
tunnel in Phase 1.
 Quick mode negotiates the IKE Phase 2 SAs.
 In this phase, the SAs that IPsec uses are unidirectional. A separate
key exchange is required for each data flow.
Quick Mode
8.4 Implementing Site-to-Site IPsec VPNs with CLI
Configuring a Site-to-Site IPsec VPN
IPsec VPN Negotiation
 A VPN is a communications channel used to form a logical
connection between two endpoints over a public network.
 IPsec VPN negotiation involves several steps.
Configuring a Site-to-Site IPsec VPN
IPsec Configuration Tasks
Some basic tasks must be completed to configure a site-to-site IPsec VPN.
Task 1. Ensure that ACLs configured on interfaces are compatible
with the IPsec configuration.
Task 2. Create an ISAKMP (IKE) policy.
Task 3. Configure the IPsec transform set.
Task 4. Create a crypto ACL.
Task 5. Create and apply a crypto map.
Task 1 – Configure Compatible ACLs
Protocols 50 and 51 and UDP Port 500
Ensure that the ACLs are configured so that ISAKMP, ESP,
and AH traffic are not blocked at the interfaces used by
IPsec.
• ESP is assigned IP protocol number 50.
• AH is assigned IP protocol number 51.
• ISAKMP uses UDP port 500.
Task 2 – Configure IKE
Configuring Compatible ACLs Cont.
 The second major task in configuring Cisco IOS ISAKMP support is to
define the parameters within the IKE policy.
 Multiple ISAKMP policies can be configured on each peer participating in
IPsec.
Task 2 – Configure IKE
Configuring Compatible ACLs Cont.
The crypto isakmp policy command invokes ISAKMP policy
configuration command mode, where you can set the ISAKMP
parameters.
Task 2 – Configure IKE
Negotiating ISAKMP Policies
Two endpoints must negotiate ISAKMP policies before they agree on the
SA to use for IPsec.
Task 2 – Configure IKE
Negotiating ISAKMP Policies Cont.
Policy numbers are only locally significant and do not have to match between IPsec peers.
Task 2 – Configure IKE
Pre-Shared Keys
 The key string cisco123 matches.
 The address identity method is specified.
 The ISAKMP policies are compatible.
 Default values do not have to be configured.
Task 3 – Configure the Transform Sets
Defining the Transform Sets
A transform set is a combination of individual IPsec transforms designed to
enact a specific security policy for traffic.
Router(config)# crypto ipsec transform-set transform-set-name ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  esp-null      ESP transform w/o cipher
Notes:
• esp-md5-hmac and esp-sha-hmac provide more data integrity.
• They are compatible with NAT/PAT and are used more frequently than ah-md5-hmac and ah-sha-hmac.
Task 3 – Configure the Transform Sets
Configuring the Transform Sets
 Transform sets are negotiated during IKE Phase 2 quick mode.
 R1 has transform sets ALPHA, BETA, and CHARLIE configured, while
R2 has RED, BLUE, and YELLOW configured.
 Each R1 transform set is compared against each R2 transform set in
succession until a match is found.
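The two negotiations this section describes, as an added Python model (not code from the chapter or from Cisco): the ISAKMP policy match of Task 2, where every attribute except the policy number must agree, and the transform-set comparison above, where R1's sets are compared against R2's in configured order until an identical one is found. The lifetime rule (the responder's lifetime may not exceed the initiator's, and the shorter value is used) is how Cisco documents IKE and is an assumption here, not something the slides state. Policy priorities, names and values are constructed, except that R2's policy 110 reproduces the values the show crypto isakmp policy output later in the chapter displays. The explain function shows what is behind the "atts are not acceptable" debug line in the troubleshooting slide: which attribute of which policy pair differs.

```python
from typing import Dict, List, Optional, Tuple

# Attribute order used when comparing policies; the values are the IOS defaults for an
# ISAKMP policy (the "Default protection suite" shown by show crypto isakmp policy).
ISAKMP_ATTRS = ("encryption", "hash", "authentication", "group", "lifetime")
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": 1, "lifetime": 86400}
Policy = Tuple[int, dict]              # (priority number, attributes)
TransformSet = Tuple[frozenset, str]   # (transforms, mode)


def isakmp_policy(priority: int, **settings) -> Policy:
    """Model 'crypto isakmp policy <priority>': attributes not set keep the IOS defaults."""
    return priority, {**ISAKMP_DEFAULTS, **settings}


def isakmp_mismatches(initiator: dict, responder: dict) -> List[str]:
    """Attributes that stop two policies matching. Encryption, hash, authentication and DH
    group must be identical. Lifetime follows Cisco's documented rule (assumed here): the
    responder's lifetime may not exceed the initiator's; the shorter value is then used."""
    bad = [a for a in ISAKMP_ATTRS[:-1] if initiator[a] != responder[a]]
    if responder["lifetime"] > initiator["lifetime"]:
        bad.append("lifetime")
    return bad


def negotiate_isakmp(initiator_policies: List[Policy],
                     responder_policies: List[Policy]) -> Optional[Tuple[int, int, dict]]:
    """The responder walks its own policies from the lowest number (highest priority) and
    checks each against every policy the initiator offered; the first pair without a
    mismatch is the protection suite. Priority numbers are never compared with each other."""
    by_priority = lambda policy: policy[0]
    for rp, rpol in sorted(responder_policies, key=by_priority):
        for ip, ipol in sorted(initiator_policies, key=by_priority):
            if not isakmp_mismatches(ipol, rpol):
                return ip, rp, {**ipol, "lifetime": min(ipol["lifetime"], rpol["lifetime"])}
    return None


def explain_isakmp_failure(initiator_policies, responder_policies) -> Dict[Tuple[int, int], List[str]]:
    """The detail 'atts are not acceptable' hides: per policy pair, the attributes that differ."""
    return {(ip, rp): isakmp_mismatches(ipol, rpol)
            for ip, ipol in initiator_policies for rp, rpol in responder_policies}


def transform_set(*transforms: str, mode: str = "tunnel") -> TransformSet:
    """Model 'crypto ipsec transform-set NAME t1 [t2]' plus its mode; tunnel is the default."""
    return frozenset(transforms), mode


def negotiate_transform_set(local: Dict[str, TransformSet],
                            remote: Dict[str, TransformSet]) -> Optional[Tuple[str, str]]:
    """IKE Phase 2 quick mode: each local set is compared against each remote set in
    configured order until an identical one (same transforms and same mode) is found."""
    for lname, lset in local.items():
        for rname, rset in remote.items():
            if lset == rset:
                return lname, rname
    return None


# Constructed sample configurations (R2's policy 110 mirrors the chapter's show output).
R1_ISAKMP = [isakmp_policy(10, encryption="aes", hash="md5", authentication="pre-share", group=2),
             isakmp_policy(20, encryption="3des", hash="md5", authentication="pre-share", group=2)]
R2_ISAKMP = [isakmp_policy(110, hash="md5", authentication="pre-share"),
             isakmp_policy(120, encryption="3des", hash="md5", authentication="pre-share",
                           group=2, lifetime=43200)]
R2_ISAKMP_ONLY_110 = R2_ISAKMP[:1]

R1_TRANSFORM_SETS = {"ALPHA": transform_set("esp-des", "esp-md5-hmac"),
                     "BETA": transform_set("esp-3des", "esp-sha-hmac"),
                     "CHARLIE": transform_set("esp-aes", "esp-sha-hmac")}
R2_TRANSFORM_SETS = {"RED": transform_set("esp-aes", "esp-sha-hmac"),
                     "BLUE": transform_set("esp-3des", "esp-md5-hmac"),
                     "YELLOW": transform_set("esp-3des", "esp-sha-hmac")}

if __name__ == "__main__":
    print("Phase 1:", negotiate_isakmp(R1_ISAKMP, R2_ISAKMP))
    print("Phase 1 against policy 110 only:", explain_isakmp_failure(R1_ISAKMP, R2_ISAKMP_ONLY_110))
    print("Phase 2:", negotiate_transform_set(R1_TRANSFORM_SETS, R2_TRANSFORM_SETS))
```

Note that CHARLIE and RED are also identical, but BETA/YELLOW wins because comparison proceeds in configured order and stops at the first match; the order in which transform sets and policies are entered therefore determines what is negotiated.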
Task 4 – Configure the Crypto ACLs
Defining Crypto ACLs
 Crypto ACLs identify the traffic flows to protect.
 Outbound crypto ACLs select outbound traffic that IPsec should protect.
Traffic not selected is sent in plaintext.
 If desired, inbound ACLs can be created to filter and discard traffic that
should have been protected by IPsec.
Task 4 – Configure the Crypto ACLs
Crypto ACL Syntax
Outbound crypto ACLs define the interesting traffic to be encrypted. All
other traffic passes as plaintext.
Task 4 – Configure the Crypto ACLs
Symmetric Crypto ACL Syntax
Symmetric crypto ACLs must be configured for use by IPsec.
RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
RouterB(config)# access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
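Two of the checks this section asks for, as an added Python example (not code from the chapter or from Cisco): the Task 1 requirement that an interface ACL lets ESP (protocol 50), AH (protocol 51) and ISAKMP (UDP 500) through between the peers, and the Task 4 requirement that the crypto ACLs on the two peers mirror each other. It includes a small parser for the numbered extended ACL form used on these slides (the eq isakmp keyword is IOS's name for UDP 500); source-port qualifiers are not handled, and port qualifiers are ignored in the mirror check. The ACLs and peer addresses are constructed samples; the crypto ACLs are the two lines from the slide above.

```python
import ipaddress
from typing import List, Optional, Tuple

# Protocol keywords IOS accepts in an extended ACL; 'ip' matches every protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT_KEYWORDS = {"isakmp": 500}
AddrSpec = Tuple[int, int]   # (address, wildcard mask) as 32-bit integers


def _addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return spec, next index."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended access-list entry: %r" % line)
    proto = PROTO_NUMBERS[t[3]] if t[3] in PROTO_NUMBERS else int(t[3])
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = None
    if i + 1 < len(t) and t[i] == "eq":
        dport = PORT_KEYWORDS.get(t[i + 1]) or int(t[i + 1])
    return {"number": int(t[1]), "action": t[2], "proto": proto, "src": src, "dst": dst, "dport": dport}


def _matches(spec: AddrSpec, addr: str) -> bool:
    net, wildcard = spec   # a set wildcard bit means "don't care" for that address bit
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def acl_action(entries: List[dict], proto: int, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for e in entries:
        if (e["proto"] in (None, proto) and e["dport"] in (None, dport)
                and _matches(e["src"], src) and _matches(e["dst"], dst)):
            return e["action"]
    return "deny"


def ipsec_blocked_by(inbound_acl: List[dict], remote_peer: str, local_peer: str) -> List[str]:
    """Task 1: which of ESP (50), AH (51) and ISAKMP (UDP 500) from the remote peer the inbound
    interface ACL on the local peer would drop. An empty list means IPsec traffic gets through."""
    probes = [("esp", 50, None), ("ahp", 51, None), ("udp/500 isakmp", 17, 500)]
    return [name for name, proto, port in probes
            if acl_action(inbound_acl, proto, remote_peer, local_peer, port) != "permit"]


def crypto_acls_are_mirrored(acl_a: List[dict], acl_b: List[dict]) -> bool:
    """Task 4: every permit on one peer must appear on the other with source and destination
    swapped (same protocol, addresses and wildcards; port qualifiers ignored here)."""
    forward = {(e["proto"], e["src"], e["dst"]) for e in acl_a if e["action"] == "permit"}
    mirrored = {(e["proto"], e["dst"], e["src"]) for e in acl_b if e["action"] == "permit"}
    return forward == mirrored


# Constructed samples. The crypto ACLs are the two lines from the slide; the interface ACLs
# model what R1 (172.30.1.2) applies inbound on its outside interface toward R2 (172.30.2.2).
R1_CRYPTO = [parse_ace("access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255")]
R2_CRYPTO = [parse_ace("access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255")]
R2_CRYPTO_WRONG = [parse_ace("access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255")]
R1_OUTSIDE_IN = [parse_ace(l) for l in """
access-list 101 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 101 permit esp host 172.30.2.2 host 172.30.1.2
access-list 101 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 101 deny ip any any
""".split("\n") if l.strip()]
R1_OUTSIDE_IN_INCOMPLETE = [parse_ace("access-list 101 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp")]

if __name__ == "__main__":
    print("blocked:", ipsec_blocked_by(R1_OUTSIDE_IN_INCOMPLETE, "172.30.2.2", "172.30.1.2"))
    print("mirrored:", crypto_acls_are_mirrored(R1_CRYPTO, R2_CRYPTO))
```

With only the ISAKMP line present, Phase 1 would complete but no protected traffic would flow, because the ESP packets that follow are dropped by the implicit deny; that is the failure mode the Task 1 slide is warning about.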
Task 5 – Apply the Crypto Map
Defining Crypto Maps
Crypto maps define:
• Which traffic to protect using a crypto ACL
• Granularity of the flow to be protected by a set of SAs
• Who the remote IPsec peers are
• Local address used for the IPsec traffic (optional)
• Which type of IPsec security is applied to this traffic (transform sets)
• Key management method
• SA lifetimes
Task 5 – Apply the Crypto Map
Crypto Map Syntax
Task 5 – Apply the Crypto Map
Applying the Crypto Map
Verify and Troubleshoot the IPsec Configuration
Defining Crypto Maps
Verify and Troubleshoot the IPsec Configuration
IPsec Show Commands
R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 102
access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ MINE, }
The show crypto map command verifies configurations and shows the
SA lifetime.
Verify and Troubleshoot the IPsec Configuration
IPsec Show Commands Cont.
R1# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  pre-share
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
The show crypto isakmp policy command displays configured IKE policies and the default IKE policy settings.
Verify and Troubleshoot the IPsec Configuration
IPsec Show Commands Cont.
The show crypto ipsec transform-set command shows all
configured transform sets.
Verify and Troubleshoot the IPsec Configuration
Verifying Security Associations
R1# show crypto isakmp sa
dst             src             state           conn-id   slot
172.30.2.2      172.30.1.2      QM_IDLE         47        5
If show crypto ipsec sa indicates that an SA is established, the rest of the configuration is assumed to be working.
Verify and Troubleshoot the IPsec Configuration
Troubleshooting VPN Connectivity
 This is an example of the Main Mode error message.
 The failure of Main Mode suggests that the Phase I policy does
not match on both sides.
R1# debug crypto isakmp
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 150.150.150.1
 Verify that the Phase I policy is on both peers and ensure that all
the attributes match.
•
•
•
•
Presentation_ID
Encryption: DES or 3DES
Hash: MD5 or SHA
Diffie-Hellman: Group 1 or 2
Authentication: rsa-sig, rsa-encr or pre-share
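The script below is an added example, not part of the Cisco course material, that reproduces the Phase 1 policy selection described above: the initiator offers all of its policies, the responder walks its own policies in priority order and accepts the first match on encryption, hash, authentication and DH group, and no match is the "no offers accepted" case in the debug output. The policies are constructed (R1 carries the priority-110 policy from the show output; R2's policies are assumed), and the weak-setting list reflects current guidance rather than the course's own examples.

```python
"""Simulate IOS IKE Phase 1 (Main Mode) policy selection to show why the
'atts are not acceptable / no offers accepted' debug messages appear and
which attribute has to be fixed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # crypto isakmp policy <priority>; lower number wins
    encryption: str        # des, 3des, aes
    hash: str              # md5, sha
    authentication: str    # pre-share, rsa-sig, rsa-encr
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds


# The four attributes that must be identical on both peers. Lifetime is not
# one of them: the shorter of the two configured values is used.
MATCHED = ("encryption", "hash", "authentication", "group")

# Values that are weak by current standards even though the course's examples
# use them; flag them before a mismatch gets "fixed" by copying them.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {1, 2}}


def attributes_match(a: IkePolicy, b: IkePolicy) -> bool:
    return all(getattr(a, k) == getattr(b, k) for k in MATCHED)


def negotiate(initiator: list[IkePolicy],
              responder: list[IkePolicy]) -> Optional[tuple[IkePolicy, IkePolicy, int]]:
    """The initiator offers all of its policies; the responder walks its own
    policies from best priority to worst and takes the first one that any offer
    matches. Returns (responder_policy, initiator_policy, lifetime), or None,
    which is the 'no offers accepted' case."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for own in sorted(responder, key=lambda p: p.priority):
        for offer in offers:
            if attributes_match(own, offer):
                return own, offer, min(own.lifetime, offer.lifetime)
    return None


def mismatched_attributes(initiator, responder) -> list[str]:
    """Attributes for which the two peers share no value at all. If this is
    empty but negotiate() still fails, each value exists somewhere on both
    sides but never together in a single policy."""
    return [k for k in MATCHED
            if not ({getattr(p, k) for p in initiator} & {getattr(p, k) for p in responder})]


def weak_settings(policy: IkePolicy) -> list[str]:
    return [f"{k}={getattr(policy, k)}" for k, bad in WEAK.items() if getattr(policy, k) in bad]


# Constructed policies: R1 carries the priority-110 policy from the slide;
# R2 was configured with a different suite, so Main Mode fails.
R1_POLICIES = [IkePolicy(110, "des", "md5", "pre-share", 1)]
R2_MISMATCH = [IkePolicy(10, "3des", "sha", "pre-share", 2)]
# Fix: R2 gets a policy whose four attributes match R1's (a shorter lifetime is fine).
R2_FIXED = R2_MISMATCH + [IkePolicy(110, "des", "md5", "pre-share", 1, lifetime=3600)]

if __name__ == "__main__":
    print("R1 -> R2 (mismatch):", negotiate(R1_POLICIES, R2_MISMATCH),
          "differs in", mismatched_attributes(R1_POLICIES, R2_MISMATCH))
    print("R1 -> R2 (fixed):   ", negotiate(R1_POLICIES, R2_FIXED))
    print("weak settings in R1 policy 110:", weak_settings(R1_POLICIES[0]))
```

Feed it the output of show crypto isakmp policy from each router and it tells you which attribute to correct; weak_settings() is the reminder that the matching policy should be upgraded on both sides rather than mirrored as-is.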
8.5 Implementing Site-to-Site IPsec VPNs with CCP
Configuring IPsec VPNs with CCP
Steps for IPsec VPN Configuration with CCP
 In addition to configuring IPsec VPNs via CLI, it is possible to
configure them using a CCP wizard.
 To select and start a VPN wizard, follow these steps:
Step 1. Click Configure in the main toolbar.
Step 2. Click the Security folder and then click the VPN subfolder.
Step 3. Select a wizard from the VPN list.
Step 4. Click the VPN implementation subtype.
Step 5. Click Launch the selected task to start the wizard.
Configuring IPsec VPNs with CCP
CCP VPN Wizards
Under the VPN folder are three subfolders:
• SSL VPN
• GET VPN
• VPN components
Configuring IPsec VPNs with CCP
Site-to-Site VPN Wizards
Configuring IPsec VPNs with CCP
Quick Setup and Step-by-Step Wizard
VPN Wizard – Quick Setup
Quick Setup
VPN Wizard – Quick Setup
Finishing Quick Setup
VPN Wizard – Step-by-Step Setup
Step-by-Step Setup
Step 1. Choose the outside interface to connect to the IPsec peer over the untrusted network.
Step 2. Specify the IP address of the peer.
Step 3. Choose the authentication method and specify the credentials. Use long, random PSKs to prevent brute-force and dictionary attacks against IKE.
Step 4. Click Next.
VPN Wizard – Step-by-Step Setup
IKE Proposal
Step 1. Click Add to define a proposal and specify the IKE proposal priority, encryption algorithm, hashing algorithm, IKE authentication method, DH group, and IKE lifetime.
Step 2. From the Add IKE Policy window, configure the IKE proposal specifics and click OK when done.
Step 3. When finished adding IKE policies, choose the proposal to use and click Next.
VPN Wizard – Step-by-Step Setup
Transform Set
Step 1. Click Add to define the transform set and specify the name, integrity algorithm, encryption algorithm, mode of operation, and optional compression.
Step 2. From the Add Transform Set window, configure the transform set specifics and click OK when done.
Step 3. When finished adding transform sets, choose the transform set to use, and click Next to proceed to the next task.
VPN Wizard – Step-by-Step Setup
Traffic to Protect – Subnet to Subnet
Step 1. On the Traffic to Protect window, click the Protect all traffic between the following subnets option.
Step 2. Define the IP address and subnet mask of the local network where IPsec traffic originates.
Step 3. Define the IP address and subnet mask of the remote network where IPsec traffic is sent.
VPN Wizard – Step-by-Step Setup
Traffic to Protect – Custom ACL
Step 1. On the Traffic to Protect window, click the Create/Select an access-list for IPsec traffic option.
Step 2. Click the ellipsis (...) button to choose an existing ACL or to create a new one.
Step 3. To use an existing ACL, select the Select an existing rule (ACL) option. To create a new ACL, select the Create a new rule (ACL) and select option.
VPN Wizard – Step-by-Step Setup
Configuration Summary – Add a Rule
Step 1. Give the access rule a name and description.
Step 2. Click the Add button to start adding rule entries.
VPN Wizard – Step-by-Step Setup
Configuration Summary – Add an Entry
Step 1. From the Select an action drop-down list, select an action and enter a description of the rule entry in the Description text box.
Step 2. Define the source hosts or networks in the Source Host/Network pane, and the destination hosts or networks in the Destination Host/Network pane. Each rule entry defines one pair of source and destination addresses or networks. Be sure to enter wildcard bits, not subnet mask bits, in the Wildcard Mask field (for a /24 network the wildcard is 0.0.0.255, not 255.255.255.0).
Step 3. (Optional) To protect only a specific protocol, choose the desired protocol radio button (TCP, UDP, or ICMP) and the port numbers. If IP is selected as the protocol, the rule applies to all IP traffic.
VPN Wizard – Step-by-Step Setup
Configuration Summary – Summary
 At the end of the configuration, the wizard presents a summary of the configured parameters.
 To modify the configuration, click Back. Click the Finish button to complete the configuration.
Verifying, Monitoring, and Troubleshooting VPNs
Testing the Tunnel
 Click Generate Mirror to generate the mirroring configuration that is required on the other end of the tunnel: the same IKE policy, transform set and pre-shared key, with the peer address and the source and destination of the crypto ACL reversed.
 This is useful if the other router does not have CCP and must use the CLI to configure the tunnel.
 Click Configure > Security > VPN > Site-to-Site VPN > Edit Site to Site VPN > Test Tunnel.
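The following Python script is an added example and is not CCP's own code or course material. It serves two of the points above: the wildcard-mask warning in the custom ACL entry (the wildcard is the inverse of the subnet mask, computed here from a CIDR prefix) and the Generate Mirror idea (the peer's configuration is the same configuration with the roles swapped). The peers use the outside addresses from the show crypto isakmp sa output; the LAN subnets, interface names, the AES-256/SHA-256/group 14 suite and the names VPN-MAP, AES-SHA and the ACL are assumptions, not what CCP generates.

```python
"""Generate a site-to-site IPsec configuration for one router and the mirror
configuration its peer needs, in the spirit of CCP's Generate Mirror button."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    outside_if: str   # interface the crypto map is applied to
    outside_ip: str   # tunnel endpoint, i.e. the IKE peer address
    lan: str          # protected subnet behind this router, CIDR notation


def wildcard(network: str) -> tuple[str, str]:
    """Crypto ACLs take a wildcard mask, the bitwise inverse of the subnet mask.
    Entering 255.255.255.0 where 0.0.0.255 belongs is the mistake the wizard's
    Wildcard Mask field warns about."""
    net = ipaddress.ip_network(network, strict=True)
    return str(net.network_address), str(net.hostmask)


def site_to_site_config(local: Peer, remote: Peer, psk: str,
                        policy: int = 110, seq: int = 10) -> str:
    """IOS CLI for 'local' protecting local.lan <-> remote.lan. The suite
    (AES-256, SHA-256, DH group 14) is an assumption chosen instead of the
    DES/MD5/group 1 values in the show output; the object names are assumed too."""
    l_net, l_wc = wildcard(local.lan)
    r_net, r_wc = wildcard(remote.lan)
    acl = f"{local.name}-TO-{remote.name}"
    return "\n".join([
        f"! ---- {local.name} ----",
        f"crypto isakmp policy {policy}",
        " encryption aes 256",
        " hash sha256",
        " authentication pre-share",
        " group 14",
        " lifetime 86400",
        f"crypto isakmp key {psk} address {remote.outside_ip}",
        "crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac",
        " mode tunnel",
        f"ip access-list extended {acl}",
        f" permit ip {l_net} {l_wc} {r_net} {r_wc}",
        f"crypto map VPN-MAP {seq} ipsec-isakmp",
        f" set peer {remote.outside_ip}",
        " set transform-set AES-SHA",
        f" match address {acl}",
        f"interface {local.outside_if}",
        " crypto map VPN-MAP",
    ]) + "\n"


def mirror_config(local: Peer, remote: Peer, psk: str, **kw) -> str:
    """The mirror is the same generator with the roles swapped: IKE/IPsec
    parameters and the PSK are unchanged, while the peer address, the key's
    address binding and the crypto ACL's source/destination are reversed."""
    return site_to_site_config(remote, local, psk, **kw)


# Constructed peers: outside addresses are the ones in the slide's
# 'show crypto isakmp sa' output; LAN subnets and interfaces are assumed.
R1 = Peer("R1", "Serial0/0/0", "172.30.1.2", "10.1.1.0/24")
R2 = Peer("R2", "Serial0/0/1", "172.30.2.2", "10.2.2.0/24")
PSK = "replace-with-a-long-random-key"   # placeholder; see the PSK advice in Step 3 above

if __name__ == "__main__":
    print(site_to_site_config(R1, R2, PSK))
    print(mirror_config(R1, R2, PSK))
```

If the two crypto ACLs are not exact mirrors of each other, Phase 2 fails or traffic is protected in one direction only, which is exactly what the encaps/decaps counters in show crypto ipsec sa reveal.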
Verifying, Monitoring, and Troubleshooting VPNs
View IPsec Tunnels
To view all IPsec tunnels, their parameters, and status, on the Cisco Configuration Professional window, click Monitor > Security > VPN Status > IPsec Tunnels.
8.6 Implementing Remote-Access VPNs
Shift to Telecommuting
Advantages of Telecommuting
 Organizational benefits:
• Continuity of operations
• Increased responsiveness
• Secure, reliable, and manageable access to information
• Cost-effective integration of data, voice, video, and applications
• Increased employee productivity, satisfaction, and retention.
 Social benefits:
• Increased employment opportunities for marginalized groups
• Less travel and fewer commuter-related issues.
 Environmental benefits:
• Reduced carbon footprints, both for individual workers and
organizations
Shift to Telecommuting
Benefits of Telecommuting
 Telecommuting offers organizational, social, and
environmental benefits.
 Studies have shown that telecommuting improves employee
lifestyles by decreasing job-related stresses.
 There may be some drawbacks; for example, telecommuters working from home can experience distractions that they would not have at work.
Introducing Remote Access VPNs
Remote-Access VPN Options
There are two primary methods for deploying remote-access VPNs, as shown in the figure:
1. IPsec
2. SSL
[Figure: IPsec remote-access VPN (any application) compared with SSL-based VPN (anywhere access)]
Introducing Remote Access VPNs
Access Requirements Determine Remote-Access VPNs
IPsec exceeds SSL VPNs in several significant ways:
• Number of applications that are supported
• Strength of encryption
• Strength of authentication
• Overall security
SSL VPNs
Cisco IOS SSL VPN Technology
Cisco SSL VPNs deliver many remote-access connectivity features and benefits:
• Web-based clientless access and full network access without
preinstalled desktop software.
• Protection against viruses, worms, spyware, and hackers on a VPN
connection by integrating network and endpoint security in the Cisco
SSL VPN platform.
• Simple, flexible, and cost-effective licensing. SSL uses a single
license.
• Single device for both SSL VPN and IPsec VPN.
SSL VPNs
Types of SSL VPN Access
SSL VPNs provide different types of access:
• Clientless - browser-only access to web-enabled applications, with no software installed on the endpoint
• Thin client - a small downloadable client (for example a Java applet) that forwards specific TCP ports through the SSL session
• Full client - a tunnel client that gives the endpoint full network-layer access, as an IPsec client would
SSL VPNs
Steps to Establishing SSL VPN
SSL VPNs
SSL VPN Design
SSL VPN design considerations:
• User connectivity
• Router feature
• Router hardware
• Infrastructure planning
• Implementation scope
Cisco Easy VPN
Cisco Easy VPN
Cisco Easy VPN consists of three components:
• Cisco Easy VPN Server - A Cisco IOS router or Cisco ASA Firewall
acting as the VPN head-end device in site-to-site or remote-access
VPNs.
• Cisco Easy VPN Remote - A Cisco IOS router or Cisco ASA
Firewall acting as a remote VPN client.
• Cisco VPN Client - An application supported on a PC used to
access a Cisco VPN server.
Cisco Easy VPN
Cisco Easy VPN Cont.
Cisco Easy VPN
Cisco Easy VPN Endpoints
Cisco Easy VPN
Cisco Easy VPN Connection Steps
Configuring a VPN Server with CCP
CCP Tasks for Cisco Easy VPN Server
Configuring Cisco Easy VPN Server functionality using CCP
consists of two major tasks:
Task 1. Configure prerequisites, such as AAA, privileged users, and the
enable secret password, based on the chosen VPN design.
Task 2. Configure the Cisco Easy VPN Server.
Configuring a VPN Server with CCP
CCP Tasks for Cisco Easy VPN Server
On the CCP main window, click Configure, click the Security folder,
click the VPN subfolder, and then select the Easy VPN Server option.
Configuring a VPN Server with CCP
Initial Easy VPN Server Steps
 Specify the router interface where the VPN connection will terminate
and the authentication method (e.g., pre-shared keys, digital
certificates, or both).
 Click Next to display the IKE Proposals window.
Configuring a VPN Server with CCP
Initial Easy VPN Server Steps Cont.
When configuring IKE proposals, use the default policy that is predefined
by CCP or add a custom IKE Policy.
Configuring a VPN Server with CCP
Selecting the Transform Set
Configuring a VPN Server with CCP
Group Authorization & Group Policy Lookup
Easy VPN group policies can be stored:
• Local - All groups are in the router configuration in NVRAM.
• RADIUS - The router uses the RADIUS server for group authorization.
• RADIUS and Local - The router can look up policies stored in an AAA server database that can be reached via RADIUS.
Configuring a VPN Server with CCP
Group Authorization & Group Policy Lookup Cont.
Configure the Group Authorization parameters
Configuring a VPN Server with CCP
Easy VPN Server Summary
After all the steps are completed, the Easy VPN Server wizard displays a
summary of the configured parameters.
Configuring a VPN Server with CCP
Easy VPN Server Summary Cont.
Configuring a VPN Server with CCP
Easy VPN Server Summary Cont.
Connecting with a VPN Client
Cisco VPN Client
 The Cisco VPN Client is simple to deploy and operate.
 It allows organizations to establish end-to-end, encrypted VPN tunnels
for secure connectivity for mobile employees or telecommuters.
Connecting with a VPN Client
Connection Status
 When the Cisco VPN client is installed, open the Cisco VPN client
window to start an IPsec VPN connection on a PC.
 The application lists the available preconfigured sites.
Summary
 A VPN is a private network that is created via tunneling
over a public network, usually the Internet.
 Organizations typically deploy site-to-site VPNs and
remote access VPNs.
 GRE is a tunneling protocol that is used to create a point-to-point link between Cisco routers.
 GRE supports multiprotocol tunneling, including IP.
 IPsec only supports unicast traffic and, therefore, does not
support routing protocols, because they require multicast
or broadcasts. GRE supports multicast or broadcast traffic
and is, therefore, often used in combination with IPsec.
Summary Cont.
 VPNs require the use of modern encryption techniques to
ensure secure transport of information.
 IPsec is a framework of open standards that establishes
the rules for secure communications.
 IPsec relies on existing algorithms to achieve encryption,
authentication, and key exchange.
 IPsec can encapsulate a packet using either the Authentication Header (AH) or the more secure option, ESP.
Summary Cont.
 IPsec uses the IKE protocol to establish the key exchange
process.
 There are several tasks required to create a site-to-site
VPN:
• Ensure that the existing ACLs on perimeter routers, firewalls, or
other routers do not block IPsec traffic.
• Define the parameters within the IKE policy, which are used
during negotiation to establish ISAKMP peering.
• Define the IPsec transform set, which consists of a combination of
an AH transform, an ESP transform, and the IPsec mode.
• Configure the crypto ACL to define which traffic is protected
through the IPsec tunnel.
• Create and apply a crypto map that specifies the parameters of
the IPsec SAs.
Summary Cont.
 More organizations offer telecommuting options to their
employees.
 Remote access connections can be provided using a
remote access IPsec VPN solution or an SSL VPN.
 SSL VPN is a technology that provides remote-access
connectivity from almost any Internet-enabled location with
a web browser and its native SSL encryption.